[ mailman-Bugs-1263239 ] Mailman on SSL sends passwords in plain text

SourceForge.net noreply at sourceforge.net
Thu Aug 18 20:09:13 CEST 2005


Bugs item #1263239, was opened at 2005-08-18 17:25
Message generated for change (Comment added) made by doolyo
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1263239&group_id=103

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Web/CGI
Group: None
Status: Open
Resolution: None
Priority: 8
Submitted By: Daniel (doolyo)
Assigned to: Nobody/Anonymous (nobody)
Summary: Mailman on SSL sends passwords in plain text

Initial Comment:
I have tried putting Mailman on a secure path of my 
server on an https url. It seemed to work approximately 
when adding the following directive in apache:

RewriteCond %{HTTPS} !=on
RewriteRule /mailman/(.*) https://www\.mysite\.com/mailman/$1 [R]

However, I have sniffed the TCP/HTTP traffic during a list 
creation and I have seen that all the form is posted IN 
CLEAR. This is normal in fact as we send that to the 
http link first (see Bug Request #1263219). Therefore 
the whole test is sent in clear and only afterwards the 
client receives back the document move to https from 
apache to redirect to the proper page.

I think that this could be solved if all links of the 
mailman binaries (admin, create and so forth) are taking 
dynamically the link specified in the mm_cfg.py, in the 
DEFAULT_URL_HOST tag.

However maybe there is another clean way of putting 
that on a secure url. If so I would be interested in how to 
do that because I didn't find anything about that subject 
apart from people doing all like I did.

Thanks,
Daniel



----------------------------------------------------------------------

>Comment By: Daniel (doolyo)
Date: 2005-08-18 18:09

Message:

P.S.:
I have seen that we can use fix_url.py to fix the URL for a 
specific list. However, it does not seem to fix the links 
of /mailman/create and the others and thus does not solve 
the problem, as I want to have the SSL on that page.



----------------------------------------------------------------------


